Getting Past Passwords and a Secure Future

Passwords are like pencils: They have been overtaken by
superior technologies but have resisted all attempts to kill
them off. They survive because they are portable and flexible
in ways that more-advanced alternatives are not.

"Passwords are great," says Paul Kocher, president and chief
scientist of San Franciscobased Cryptography Research, which provides
sophisticated information security systems to banks,
corporations and government agencies. "Except for security,
passwords are pretty much ideal. For security, they are 99
percent broken."

Kocher notes that "a huge amount of work" has gone into
developing better systems for authenticating individuals
logging on to computing devices or online services. "The
question is, will it succeed? There is nothing at large scale
that seems likely to replace passwords."

Security experts have been warning for years about the
vulnerability of passwords. "We've been living in a world of
50-year-old technology," says Phillip Dunkelberger, a Silicon
Valley veteran who is president and CEO of Nok Nok
Labs, a two-year-old company selling stronger
authentication approaches.

Together with Ponemon Institute, a research firm
specializing in privacy and data protection issues, Palo Alto,
Californiabased Nok Nok published a survey in April indicating
consumers' openness to more-reliable technologies. When asked
to name their preferred biometric methods for identity
verification, more than 80 percent of nearly 2,000
"technology-literate" respondents in Germany, the U.S. and the
U.K. listed voice recognition, followed by 70 percent for
facial scans and 60 percent each for hand geometry and
fingerprints.

Taking strong authentication mainstream will require not
just mass acceptance but also an ecosystem of technologies,
support services, corporate users and in some cases regulatory
approval  and that is beginning to take shape.

The need for something better is obvious given the epidemic
of identity theft and headline news like the April 23 hack into
the Associated Press's Twitter feed, which spread false reports
of explosions in the White House. That event set off
predictable calls for stronger verification for Twitter
accounts, perhaps by adding a biometric method. Adding a
fingerprint or other incontrovertibly unique identifier to a
log-on name and password delivers so-called multifactor
authentication  and certainly a higher comfort
level.

Such approaches are common in the corporate world. Bank
employees sign in using one-time personal identification
numbers generated by portable tokens like EMC Corp.'s SecurID
products. Many of the 315,000 users of Bloomberg Professional
terminals log on with fingerprints; the financial data network
introduced biometric authentication in 2001.

Expanding from corporations to the mass market requires a
leap in logistics and economics. Cryptography Research founder
Kocher points out that a financial institution would find it
reasonable to spend $50 per employee to implement higher-order
authentication. But it would likely consider $50 per customer
prohibitive, he says, although it might be cost-justified in
certain "high-value relationships" to issue, say, a smart card
with an embedded chip that better secures the password and can
store other identity data.

On the technology front companies such as California-based
Fortinet, Poland's Rublon and Sweden's Keypasco and
Yubico are marketing two-factor security enhancements,
if not a path completely away from passwords.

Nok Nok Labs' mission is to reduce or eliminate reliance on
log-in names and passwords, using what it calls unified
authentication infrastructure to accommodate any number of
biometric and nonbiometric methods and manage the transition
from legacy systems. Underlying the architecture is the online
secure transaction protocol, which is open to other vendors.
Dunkelberger, for one, believes collaboration will be necessary
to change the old order. He is behind the Fast
IDentity Online Alliance, formed last year to set device
interoperability standards and address "the problems users face
with creating and remembering multiple user names and
passwords."

A U.S. government initiative, the National Strategy for
Trusted Identities in Cyberspace, calls for public and private
sector participation in an "identity ecosystem that improves on
the use of passwords and user names."